Hacking

New Malware Campaign Spoofs GlobalProtect VPN to Distribute WikiLoader via SEO Poisoning

Published  ·  3 min read

A new malware campaign has been detected that targets users searching for Palo Alto Networks' GlobalProtect VPN software. The campaign, active since June 2024, is using a search engine optimization (SEO) strategy to deliver a variant of the WikiLoader (also known as WailingCrab) loader, marking a shift from previous methods of propagation such as phishing emails, according to researchers from Unit 42, Mark Lim, and Tom Marsden.

WikiLoader, which was first documented by Proofpoint in August 2023, has been linked to a threat actor known as TA544. In earlier attacks, the malware was used to deploy other malicious software such as Danabot and Ursnif via phishing campaigns. However, recent campaigns have introduced new tactics, including SEO poisoning, which is now being leveraged to spread the malware.

SEO poisoning involves manipulating search engine results to display malicious websites that masquerade as legitimate software downloads. In this case, attackers are targeting users who search for GlobalProtect VPN, redirecting them to a cloned website that appears to offer a legitimate download but instead initiates the malware infection process.

Once on the fake download page, users are tricked into downloading an MSI installer containing an executable named "GlobalProtect64.exe." This file, however, is a renamed version of a legitimate share trading application from TD Ameritrade (now part of Charles Schwab) and is used to sideload a malicious DLL named "i4jinst.dll." The sideloaded DLL then executes shellcode that ultimately downloads and launches the WikiLoader backdoor from a remote server.

To enhance the deception, the installer presents a fake error message at the end of the process, claiming that certain libraries are missing from the user's computer. This ruse further obscures the malicious activity.

The malware authors have also implemented anti-analysis techniques to detect if WikiLoader is running in a virtualized environment. If virtual machine software is detected, the malware terminates itself to evade detection by security tools.

While the exact reason for the shift from phishing emails to SEO poisoning is not clear, Unit 42 speculates that it may be the work of a different initial access broker (IAB) or a response by existing groups to public disclosure of their tactics.

"The combination of spoofed, compromised, and legitimate infrastructure leveraged by WikiLoader campaigns reinforces the malware authors' attention to building an operationally secure and robust loader, with multiple [command-and-control] configurations," the researchers noted.

The findings come on the heels of another recent discovery by Trend Micro, which identified a campaign targeting users in the Middle East with backdoor malware, also delivered through a fake GlobalProtect VPN software.

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067